RiskSense Platform – the industry’s most comprehensive, intelligent platform for managing cyber risk.
S P O T L I G H T
Apache Struts Understanding how Apache Struts vulnerabilitiescould impact your organization
Apache Struts is a free, open-source Model View Controller (MVC) framework. Introduced around 2006, this framework is extensively used in creating Java-based web applications. Over the last 12 years, we have observed an increase in Apache Struts weaponization; with this information in mind, an unpatched Apache Struts vulnerability (CVE-2017-5638) was the foundation of a significant data breach that put Apache Struts into the spotlight. This weakness emphasized the impending risks for Apache Struts-based applications. Even today, scanners do not detect all known vulnerabilities; as of 10/10/2017, the leading scanners still missed 25 total unique Common Vulnerabilities and Exposures (CVEs).
In this spotlight report, we analyze Apache Struts-related vulnerability weaponization patterns spanning the last decade. We also provide insight into exploit patterns and explain how these patterns can define an organization’s risk management strategy.
Page 2
Introduction
CVE-2017-5638 Timeline
Apache Struts Vulnerabilities’ Weaponization Patterns
Weaponization Timeline and Exploit Patterns
What Does This Mean for Organizational Cyber Risk Management?
3
3
4
6
7
Table of Contents
Apache Struts in the Spotlight • November 2017
Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization
Background
Apache Struts in the Spotlight • November 2017
Mega Data BreachBreaking News
Attack Occured
3 4 5 6 7 8 9 109.7. 2017
CVE-2017-5638 Published
RiskSense Prioritized CVE-2017-5638 in the Platform
3 4
Exploit Released
3.6.17NVD Released3.10.17
3.9.17 3.25.17
CVE-2017-5638 Timeline
Introduction
Figure 1
Developers use Apache Struts’ MVC framework to build Internet-facing web applications that regularly accept and execute user input. User inputs are processed at the server side using parsers or internal objects. These input handlers are subjected to remote code execution (RCE)-based exploits and arbitrary command injections resulting from underlying implementation flaws. Among the 27 Apache Struts vulnerabilities found with exploits, we observed the following:
• The average vulnerability disclosure time latency for RCE-based vulnerabilities is 39 days and 29 days for non-RCE-based vulnerabilities.
The exploit belonging to both the remote and web application category is CVE-2017-5638.
CVE-2017-5638 is an incorrect exception handling, error message generating vulnerability present during file upload attempts in Jakarta Multipart parser in the following Apache Struts versions:
• Apache Struts 2.2.3.x before 2.3.32• Apache Struts 2.5.x before 2.5.10.1
This vulnerability allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. Figure 1 shows CVE-2017-5638’s overall timeline, including the vulnerability’s initial disclosure and exploitation in the wild. While the vendor disclosed the vulnerability and patch on 03/06/2017, an applicable exploit was released on 03/09/2017. It is important to note that RiskSense was the only organization that uncovered the related exploit so early. We were able to do this by tracking Apache Struts code commits in Github.
The vulnerability was accepted into the National Vulnerability Database (NVD) on 03/10/2017. It should be noted that the NVD had a delay of four days in accepting and publishing this critical vulnerability. This delay between a vendor disclosing a vulnerability and the vulnerability’s publication in the NVD is known as vulnera-bility disclosure time latency. Based on the prevalence of the exploit in the wild, RiskSense prioritized this vulnerability for our clients on 03/25/2017. As predicted by RiskSense (based on the exploit’s trend in the wild), the vulnerability was used in a high-pro-file attack that resulted in a mega data breach.
Page 3 Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization
Table 1
Exploit Type
RCE
Non-RCE
Both
17 days after vendor disclosure
30 days after vendor disclosure
3 days after vendor disclosure
20
6
1
Weaponization Latency (in Days)Exploit Count
Apache Struts in the Spotlight • November 2017
Page 4
After analyzing CVE-2017-5638’s event timeline, it is evident that a critical vulnerability had not been prioritized in the target organization's risk management process. There may be several reasons for such lack of prioritization, such as:
• Unavailability of an actionable intelligence platform• Weak risk prioritization strategy
An efficient risk management strategy demands a proper vulnerability prioritization process. RiskSense’s vulnerability prioritization process is supported by weaponization pattern mining and exploitability analysis. Weaponization is defined as creating malicious content (such as malware, exploits, etc.) that
exploits a vulnerability. Here, we present our findings on vulnerability weaponization and related exploit patterns for Apache Struts vulnerabilities. Such exploit pattern analysis allows us to predict exploitability of vulnerabilities, and correlat-ing this information with the target client infrastructure allows us to better prioritize vulnerabilities for efficient remediation.
Figure 2 shows the Apache Struts-related vulnerabilities’ disclosure time latency patterns over the last ten years. The vulnerability disclosure time latency shows the latency (in days) between the vendor release date and NVD publication date for a given vulnerability. Vulnerability criticality is determined from the Common Vulnerability Scoring System (CVSS) score.
Latency in days before a CVE appears in NVD
4
80
15
55
289
5
17
41
41
49
49
49
14
8
55
83
17
26
66
4
54
14
14
10
5
18
39
0
5
210 284
156
124
0 days
50 days
100 days
150 days
200 days
250 days
10 2.610
10
10
10
9.3
9.3
9.3
9.3
9.3
9.3
9.3
9.3
9.3
7.8
7.57.5
7.5 7.57.5
7.5
7.5
7.5
7.5
6.8
6.8
6.4
5.8
5
5
5
5
5
4.3
4.34.3
CVE-2017-5638CVE-2011-1772
CVE-2016-3082
CVE-2016-0785
CVE-2013-4316
CVE-2012-0838
CVE-2016-3081
CVE-2013-2251
CVE-2013-2135
CVE-2013-2134
CVE-2013-2115
CVE-2013-1966
CVE-2013-1965
CVE-2012-0392
CVE-2012-0391
CVE-2014-0114
CVE-2014-0094
CVE-2006-1546CVE-2017-9791
Data is up-to-date as Oct 2nd, 2017
CVE-2016-4438CVE-2016-4436
CVE-2016-3087
CVE-2015-1831
CVE-2014-0113
CVE-2014-0112
CVE-2006-1547
CVE-2017-9805
CVE-2012-0394
CVE-2013-2248
CVE-2011-5057
CVE-2012-1007
CVE-2012-1006
CVE-2005-3745
CVE-2008-6504
24 CVEs with CVSS > 7
13 CVEswith CVSS < 7
CVSS v2
CVEs have applicable exploits
Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization
Apache Struts Vulnerabilities’ Weaponization Patterns
Figure 2
CVE-2008-6505
CVE-2010-1870
CVE-2012-0393
Page 5 Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization
Table 2
Table 3
Apache Struts in the Spotlight • November 2017
We use the NVD as a reference for computing the vulnerability disclosure time latency, since the NVD is considered a standard repository for vulnerability publication and notification. The following table shows the Apache Struts-related CVEs with their severity, associated CVSS V2/V3 scores, NVD Vulnerability Latency, and Exploit Type. All CVSS scores provided below were
obtained from the NVD. As such, the NVD applied CVSS V3 scores only for CVEs from 2016 and later. The NVD Vulnerability Disclosure Time Latency denotes the time (in days) it took from the vendor’s vulnerability disclosure to the NVD’s vulnerability publication.
We were able to make the following observations using the information in Table 2 and Figure 2:
1. Table 2 and Figure 2 show that vulnerability disclosure time latency is present for the majority of vulnerabilities.2. Table 3 highlights the CVEs that have a time latency of more than 100 days:
CVE
CVE-2008-6504
CVE-2012-0391
CVE-2012-0838
CVE-2016-4436
284
156
210
124
Latency (in Days)
CVE
CVE-2011-1772
CVE-2005-3745
CVE-2012-1006
CVE-2012-1007
CVE-2008-6504
CVE-2008-6505
CVE-2010-1870
CVE-2011-5057
CVE-2014-0094
CVE-2013-2248
CVE-2012-0393
CVE-2012-0394
CVE-2017-9805
CVE-2014-0112
CVE-2014-0113
CVE-2015-1831
CVE-2016-3087
CVE-2016-4436
CVE-2016-4438
CVE-2017-9791
CVE-2006-1546
CVE-2014-0114
CVE-2006-1547
CVE-2012-0391
CVE-2012-0392
CVE-2013-1965
CVE-2013-1966
CVE-2013-2115
CVE-2013-2134
CVE-2013-2135
CVE-2013-2251
CVE-2016-3081
CVE-2012-0838
CVE-2013-4316
CVE-2016-0785
CVE-2016-3082
CVE-2017-5638
Severity
Low
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium
Medium/High
High
High
High
High/Critical
High/Critical
High/Critical
High/Critical
High
High
High
High
High
High
High
High
High
High
High
High
High
High
High
High/Critical
High/Critical
CVSS V2
2.6
4.3
4.3
4.3
5.0
5.0
5.0
5.0
5.0
5.8
6.4
6.8
6.8
7.5
7.5
7.5
7.5
7.5
7.5
7.5
7.5
7.5
7.8
9.3
9.3
9.3
9.3
9.3
9.3
9.3
9.3
9.3
10
10
10
10
10
NVD Vuln. Latency
80
1
5
5
284
0
39
18
5
5
14
14
10
54
4
66
26
124
17
3
8
55
8
156
14
49
49
49
41
41
17
5
210
9
28
5
4
Exploit Type
Remote
Remote
WebApps
WebApps
Remote
Remote
Remote
Remote
Remote
Remote
WebApps
Remote
Remote
Remote
Remote
No Exploit
Remote
No Exploit
No Exploit
WebApps
No Exploit
Remote
No Exploit
WebApps
WebApps
Remote
Remote
Remote
Remote
No Exploit
Remote
Remote
No Exploit
No Exploit
No Exploit
No Exploit
Remote, Webapps
CVSS V3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
9.8
9.8
9.8
9.8
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
8.1
N/A
N/A
8.8
9.8
10
8.1
Page 6 Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization
We analyzed the weaponization timelines for all CVEs with exploits. Particularly, it is interesting to identify if the weapon-ization occurs during the vulnerability disclosure timeline. This means that organizations that are susceptible to such vulnera-bilities are at even more risk due to the following reasons:
1. Organizations relying on NVD for timely vulnerability disclosures are highly vulnerable during the vulnerability disclosure latency.2. When weaponization occurs during latency, some organi- zations are at even higher risk of a data breach or falling prey to massive cyber attacks.
We define weaponization states through relationships between the vendor's CVE disclosure date, patch/workaround date, exploit weaponization date, and NVD disclosure date, as shown in Figure 3. We can determine an exploit's organizational impact from the order of these events. From this, we mapped four unique weaponization states, as shown below:
Exploit released before NVD publication and before patch releaseExploit released before NVD publication and after patch releaseExploit released after NVD publication and after patch releaseExploit released after NVD publication and before patch release
Weaponization Timeline and Exploit Patterns
< NVD, <Exploit released before NVD published before
patch released
<NVD , <Exploit released after NVD published after
patch released
CVE-2014-0094CVE-2014-0112CVE-2014-0113CVE-2014-0114
Exploit released 14 days before patch was released
2005
2008
2011
2012
2014
2016
2017
CVE-2011-1772CVE-2011-5057
Data is up-to-date as Oct 2nd, 2017
Figure 3
CVE-2012-0391CVE-2012-0392CVE-2012-0393CVE-2012-0394CVE-2012-1006CVE-2012-1007
CVE-2017-5638CVE-2017-9791CVE-2017-9805
CVE-2005-3745
CVE-2016-3081CVE-2016-3087
CVE-2013-1965CVE-2013-1966CVE-2013-2115CVE-2013-2134CVE-2013-2248CVE-2013-2251
2013
CVSS v22.6 4.3 5.0
5.86.46.8
7.57.8
9.3 10
< < NVDExploit released after patch released before
NVD publishedCVE-2010-1870
CVE-2008-6504CVE-2008-6505Exploit released 139 days before patch was released
2010
3. Among the 27 CVEs that have applicable exploits, 26 are subjected to vulnerability disclosure latency. This can be observed from the data presented in Table 2. 4. It is also interesting to note that among the 27 CVEs with exploits, 12 of those CVEs are low or medium severity vulnerabilities. This emphasizes the fact that CVE severity is not a crucial determinant factor when identifying high-risk CVEs. Organizations typically focus on remediating high-severity CVEs; however, low and medium severity CVEs should also be prioritized in the remediation strategy based on their applicable exploits. 5. The majority of the associated exploit types are remote, meaning they could be delivered and executed through an RCE strategy. This observation again emphasizes why organizations should focus on tackling RCE-based exploits while securing their Apache Struts-based application infrastructure.
Apache Struts in the Spotlight • November 2017
Page 7 Spotlight • Apache Struts – Understanding how Apache Struts vulnerabilities could imapct your organization
Table 4
Apache Struts in the Spotlight • November 2017
What Does This Mean for Organizational Cyber Risk Management?It is evident from the data breach (caused by unpatched CVE-2017-5638) how organizations are falling behind in the vulnerability prioritization and mitigation game. RiskSense’s observations from the latency and weaponization patterns makes cyber risk management through vulnerability prioritization a multi-faceted and complex problem, especially if organizations are using diverse software and hardware stacks and do not receive timely updates on applicable vulnerabilities (due to a lack of a reliable unified notification source), then they are secure only until the weaponization of those vulnerabilities.
Even if exploitable vulnerabilities are revealed to organizations, they often fail to gauge the risk of such vulnerabilities to their organization's business and fail in prioritization. This is due to the lack of capabilities that will prioritize vulnerabilities not just based on their severity (we have already seen vulnerabilities with CVSS < 7 have malicious exploits) but also on their potential exploitability.
Organizations should implement their risk mitigation around RCE-based exploits and their related vulnerabilities, which scanners often fail to detect. We continue to see recent trends
suggesting that RCE-based exploits are some of the most effective exploits, as highlighted by CVE-2017-5638 and CVE-2017-9805.
To this end, it is extremely critical for organizations to adapt a threat- and risk-centric approach to vulnerability prioritization and remediation. Such approaches should consider both the organization's asset criticality and historical analysis of weaponization patterns of vulnerabilities so that both exploitability and risk of vulnerabilities can be predicted accurately.
The following table shows CVE weaponization patterns by year. As mentioned previously, CVSS V3 scores are only included for vulnerabilities from 2016 and later. Weaponization Latency is defined as the time (in days) it took from the vendor disclosure to the creation of an exploit targeting the vulnerability. The following bullets explain how to interpret the weaponization latency values presented in Table 4.
Our analysis on applicable exploits reveal interesting patterns in both exploit delivery and underlying weaknesses in Apache Struts. Note that most low and medium severity vulnerabilities also have associated exploits. An organization may prioritize only resolving high vulnerabilities, leaving them weak to these exploits.
We also observed that remote exploits are used more frequently for weaponization. Most of the applicable exploits are delivered through URL code injection, some of which target the underlying weakness in the Object-Graph Navigation Library (OGNL). The remaining set of exploits are divided into cross-site scripting (XSS) and HTTP header-based injections.
• A weaponization latency of zero means an exploit was released the same day the vulnerability was disclosed by the vendor. • A positive weaponization latency means that the exploit was released before the vendor disclosed the vulnerability. • A negative weaponization latency means the vulnerability was disclosed before an exploit was applied.
Year
20052008 20102011 2012 2013 2014 2016 2017
CVE
CVE-2005-3745CVE-2008-6504 CVE-2008-6505CVE-2010-1870CVE-2011-1772CVE-2011-5057CVE-2012-0391CVE-2012-0392CVE-2012-0393CVE-2012-0394CVE-2012-1006CVE-2012-1007CVE-2013-1965CVE-2013-1966CVE-2013-2115CVE-2013-2134CVE-2013-2248CVE-2013-2251CVE-2014-0094CVE-2014-0112CVE-2014-0113CVE-2014-0114CVE-2016-3081CVE-2016-3087CVE-2017-5638CVE-2017-9791CVE-2017-9805
CVSS V2/V3
4.35.05.05.02.65.09.39.36.46.84.34.39.39.39.39.35.89.35.07.57.57.59.3/8.17.5/9.810/107.5/9.86.8/8.1
Exploit Type
RemoteRemoteRemoteRemoteRemoteRemoteWebAppsWebAppsWebAppsRemoteWebAppsWebAppsRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemoteRemote, WebAppsWebAppsRemote
Weaponization Latency
0-145 139
-5 -77 14
-154 -12 -12 -12
-1 -1
-14 -8 -8 0
-2 -22 -53 -53
-7 -53
-9 -25 -3 0 0
© 2017 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc. Spotlight_ApacheStruts_11092017
RiskSense Platform – the industry’s most comprehensive, intelligent platform for managing cyber risk.
Contact Us Today to Learn More About RiskSenseRiskSense, Inc. | +1 844.234.RISK | +1 505.217.9422 | [email protected]
SCHEDULE A DEMOCONTACT US